Permission denied when trying to modify or assign permission to a users/groups

Article ID: 377321

Updated On:

Products

VMware vCenter Server

Issue/Introduction

A user with only the 'Permissions' role cannot modify or assign permissions to users/groups.

  • Error observed in the vSphere Client while modifying or assigning permission to a group:

Permission to perform this operation was denied.

You do not hold privileges "folder group-d1 : [Datastore > Browse datastore,

Global > Cancel task,

Virtual machine > Change Configuration > Add existing disk,

Virtual machine > Change Configuration > Add new disk,

Virtual machine > Change Configuration > Add or remove device,

Virtual machine > Change Configuration > Advanced configuration,

Virtual machine > Change Configuration > Change CPU count]" 

 

OR

Edit Permission Failed! Not enough privileges to execute this action.

 

  • The "/var/log/vmware/vsphere-ui/logs/vsphere_client_virgo.log" log shows that permission to perform this operation was denied.

[YYYY-MM-DDTHH:MM:SS] [ERROR] p-nio-127.0.0.1-5090-exec-13 70000391 100021 200011 c.vmware.vsphere.client.security.impl.PermissionMutationProvider  Failed to set entity permissions com.vmware.vim.binding.vim.fault.NoPermission: Permission to perform this operation was denied.

Environment

vCenter Server Appliance 8.x

vCenter Server Appliance 7.x

Cause

The default 'Permissions' role gives a user the privilege to modify or assign permissions for users/groups.

However, a user assigned the 'Permissions' role must also hold the other privileges involved in order to modify or assign permissions that give users/groups roles with those privileges.

Resolution

Create a custom role that combines the privileges from the 'Permissions' role with the privileges from the other roles that the admin user wants to be able to assign to, or modify for, users/groups.

 

Additional Information

Example: User-A is a member of a custom role with the privileges from the 'Permissions' role and the 'Tagging Admin' role.

Scenario 1: While User-B does not have any permissions, User-A can assign the 'Tagging Admin' role to User-B.

Scenario 2: If User-B is assigned any other role that User-A is not a member of, such as a 'create vm' role, User-A cannot modify User-B's permissions.
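
The following Python sketch is an added example, not VMware code. It parses the denial text shown under Issue/Introduction and applies a simplified model of the rule in the Cause and scenarios above, to list which privileges a custom role still lacks. The role contents, the `ROLES` table and the function names are constructed for illustration; real role definitions should be read from vCenter.

```python
import re

# Constructed sample data: role contents are illustrative, not the product's definitions.
MODIFY = "Permissions > Modify permission"
ROLES = {
    "Permissions": {MODIFY},
    "Tagging Admin": {"vSphere Tagging > Create vSphere Tag",
                      "vSphere Tagging > Assign or Unassign vSphere Tag"},
    "create vm": {"Virtual machine > Change Configuration > Add new disk",
                  "Datastore > Browse datastore"},
}

def privileges_of(role_names):
    """Union of the privileges granted by the named roles."""
    return set().union(*(ROLES[r] for r in role_names))

def missing_privileges(editor_roles, target_current_roles, role_to_assign):
    """Privileges the editor lacks for this change (assumed model of the article's
    rule): the editor needs Modify permission plus every privilege in the role
    being assigned and in the roles the target principal already holds."""
    held = privileges_of(editor_roles)
    needed = {MODIFY} | privileges_of(list(target_current_roles) + [role_to_assign])
    return sorted(needed - held)

DENIAL = re.compile(
    r'You do not hold privileges "(?P<entity>[^:]+?) : \[(?P<privs>.*?)\]"', re.S)

def parse_denial(message):
    """Split the vSphere Client denial text into (entity, [privilege labels])."""
    m = DENIAL.search(message)
    if m is None:
        return None
    privs = [" ".join(p.split()) for p in m.group("privs").split(",") if p.strip()]
    return m.group("entity").strip(), privs

# Shortened copy of the error quoted in this article (line breaks as displayed).
SAMPLE = ('Permission to perform this operation was denied.\n'
          'You do not hold privileges "folder group-d1 : [Datastore > Browse datastore,\n'
          'Global > Cancel task,\n'
          'Virtual machine > Change Configuration > Change CPU count]"')

if __name__ == "__main__":
    entity, privs = parse_denial(SAMPLE)
    print(f"Denied on {entity}; add to the custom role:")
    for p in privs:
        print("  -", p)
    print("Scenario 2 gap:",
          missing_privileges(["Permissions", "Tagging Admin"], ["create vm"], "Tagging Admin"))
```

The privileges returned by `parse_denial` are the ones to add to the custom role described under Resolution, on the entity named in the message.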